Fidelis Report Reveals Most Security Alerts Not Triaged by SOCs

Security Operations Centers are unable to respond to most of the alerts that are received and lack proper metrics as well as security control integration, according to a study commissioned by Fidelis Cybersecurity.

Fidelis Cybersecurity released its State of the SOC (Security Operations Center) report on March 21, providing insights into the current state of IT security operations.

The 16-page report is based on a survey conducted by 360Velocity for Fidelis and exposes a number of shortcomings in modern SOCs. Among its highlights is the finding that a high percentage of alerts go unaddressed each day.

"The research found that 83 percent of surveyed companies do not even triage half of their alerts and only 6 percent triaged 75 percent or more alerts per day," Sam Erdheim, vice president at Fidelis Cybersecurity, told eWEEK. "The sheer volume of alerts that goes unaddressed each day speaks volumes about SOC inefficiencies and ultimately what is missed each and every day."

There are multiple reasons why organizations do not investigate most of the security alerts they receive. One, according to the Fidelis report, is volume: 60 percent of SOC analysts reported that they are able to handle only seven to eight investigations a day.

One way to boost SOC efficiency is to integrate the different security controls, but that is not happening in most SOCs: 70 percent of survey respondents said that at least half of their security controls were not integrated. Erdheim noted that certain controls, once integrated into the SOC, can help improve response.

"A key security integration point is with breach detection and EDR [endpoint detection and response] products," he said. "For example, with the capabilities integrated, an alert from the breach detection system could be prevalidated on the endpoint, allowing for faster alert triaging and response."
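The prevalidation Erdheim describes, as an added illustration that is not code from Fidelis or from the report: a network breach-detection alert is checked against the endpoint's own telemetry before an analyst picks it up. The alert and EDR records, the hostnames, IP addresses (documentation ranges) and timestamps are all constructed for the example, and the five-minute correlation window is an assumed tuning value.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample data: one day of network breach-detection alerts and the
# EDR telemetry for the same hosts. Hostnames, IPs and timestamps are invented.


@dataclass(frozen=True)
class NetworkAlert:
    alert_id: str
    host: str          # internal host the sensor attributed the traffic to
    dst_ip: str        # external address the host talked to
    seen_at: datetime
    indicator: str     # what the breach-detection rule matched on


@dataclass(frozen=True)
class EdrEvent:
    host: str
    seen_at: datetime
    process: str
    remote_ip: Optional[str]   # None for events that are not network connections


SAMPLE_ALERTS = [
    NetworkAlert("N-1", "ws01", "203.0.113.10", datetime(2018, 3, 21, 9, 0), "beacon to known C2"),
    NetworkAlert("N-2", "srv07", "198.51.100.7", datetime(2018, 3, 21, 11, 0), "suspicious TLS cert"),
    NetworkAlert("N-3", "ws02", "192.0.2.44", datetime(2018, 3, 21, 12, 0), "DNS to DGA-like domain"),
]

SAMPLE_EDR = [
    EdrEvent("ws01", datetime(2018, 3, 21, 9, 2), "powershell.exe", "203.0.113.10"),
    EdrEvent("ws01", datetime(2018, 3, 21, 9, 3), "explorer.exe", None),
    # srv07 did contact 198.51.100.7, but three hours after the sensor alert: not corroboration.
    EdrEvent("srv07", datetime(2018, 3, 21, 14, 0), "svchost.exe", "198.51.100.7"),
]


def prevalidate(alert: NetworkAlert, edr_events: List[EdrEvent],
                window: timedelta = timedelta(minutes=5)) -> Tuple[str, List[EdrEvent]]:
    """Check a network alert against endpoint telemetry.

    The alert is 'corroborated' when the endpoint itself recorded a connection from
    the same host to the same destination within `window` of the sensor's timestamp;
    otherwise it is 'unsupported' (the sensor may have mis-attributed the flow, the
    agent may be missing from the host, or the clocks may be skewed).
    """
    matches = [
        e for e in edr_events
        if e.host == alert.host
        and e.remote_ip == alert.dst_ip
        and abs(e.seen_at - alert.seen_at) <= window
    ]
    return ("corroborated" if matches else "unsupported"), matches


def triage_order(alerts: List[NetworkAlert], edr_events: List[EdrEvent]) -> List[Tuple[str, str]]:
    """Queue corroborated alerts first, oldest first within each verdict."""
    verdicts = [(a, prevalidate(a, edr_events)[0]) for a in alerts]
    verdicts.sort(key=lambda av: (av[1] != "corroborated", av[0].seen_at))
    return [(a.alert_id, v) for a, v in verdicts]


if __name__ == "__main__":
    for alert_id, verdict in triage_order(SAMPLE_ALERTS, SAMPLE_EDR):
        print(alert_id, verdict)
```

An "unsupported" verdict is not a dismissal: it means the analyst opens the alert knowing the endpoint has nothing to add, which is itself useful when deciding whether the sensor, the agent coverage or the clock synchronization needs attention.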

Automation is another key element that can improve SOC operations. Erdheim said automating tasks such as combining similar alerts can save tremendous time by reducing duplicate efforts. He added, however, that in his view actual investigations should stay with human analysts.

Metrics

There are many different metrics used by SOCs to measure the efficiency of incident response operations. According to the study, 80 percent of respondents held the view that the metrics they use are "not effective" or "had room for improvement."

Erdheim noted that there are several common metrics used by SOCs today that he has seen Fidelis customers use, including average investigation process time, percent of alerts triaged per day, time to respond to and remediate a breach or threat, and average cost per incident investigated.

"Metrics that show the alert coverage [i.e., alerts triaged vs. abandoned] is a key one as we have seen how many are ultimately abandoned, and that's a metric that is easily trackable and which can be improved upon," he said. "More strategic metrics revolve around how many investigations, or what percent of investigations were completed with a conclusion, and number of investigations that led to reprioritization of security approach."
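The two operational points above, folding repeated alerts into one work item and computing the coverage and investigation metrics Erdheim lists, as one added example that is not code from Fidelis, 360Velocity or the report. The alert queue (rules, hosts, timestamps, analyst minutes and outcomes) is constructed for the illustration, and the 30-minute grouping window is an assumed tuning value.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample: two days of alerts from a small queue. Rules, hosts,
# timestamps and analyst effort are invented for the illustration.


@dataclass(frozen=True)
class Alert:
    alert_id: str
    rule: str
    host: str
    seen_at: datetime
    triaged: bool                        # an analyst looked at it
    minutes_spent: Optional[int] = None  # analyst time, if triaged
    concluded: Optional[bool] = None     # investigation reached a verdict, if triaged


SAMPLE_ALERTS = [
    Alert("A1", "beacon", "ws01", datetime(2018, 3, 20, 9, 0), True, 45, True),
    Alert("A2", "beacon", "ws01", datetime(2018, 3, 20, 9, 10), False),   # repeat of A1
    Alert("A3", "beacon", "ws01", datetime(2018, 3, 20, 9, 20), False),   # repeat of A1
    Alert("A4", "lateral", "srv07", datetime(2018, 3, 20, 11, 0), True, 90, False),
    Alert("A5", "exfil", "ws01", datetime(2018, 3, 20, 15, 0), False),
    Alert("A6", "beacon", "ws01", datetime(2018, 3, 21, 10, 30), True, 30, True),
    Alert("A7", "beacon", "ws02", datetime(2018, 3, 21, 10, 35), False),
    Alert("A8", "exfil", "srv07", datetime(2018, 3, 21, 16, 0), False),
]


def dedupe(alerts: List[Alert], window: timedelta = timedelta(minutes=30)) -> List[List[Alert]]:
    """Fold repeats of the same (rule, host) that fire within `window` of the
    group's first alert into one work item. Returns the groups in time order."""
    groups: List[List[Alert]] = []
    latest: Dict[tuple, int] = {}   # (rule, host) -> index of its newest group
    for a in sorted(alerts, key=lambda x: x.seen_at):
        key = (a.rule, a.host)
        idx = latest.get(key)
        if idx is not None and a.seen_at - groups[idx][0].seen_at <= window:
            groups[idx].append(a)
        else:
            groups.append([a])
            latest[key] = len(groups) - 1
    return groups


def _pct(part: int, whole: int) -> float:
    return round(100.0 * part / whole, 1) if whole else 0.0


def metrics(alerts: List[Alert]) -> dict:
    """Coverage, per-day triage rate, mean investigation time and share of
    investigations that reached a conclusion, computed over the raw alerts."""
    triaged = [a for a in alerts if a.triaged]
    per_day: Dict[str, List[int]] = defaultdict(lambda: [0, 0])   # day -> [total, triaged]
    for a in alerts:
        day = per_day[a.seen_at.date().isoformat()]
        day[0] += 1
        day[1] += int(a.triaged)
    spent = sum(a.minutes_spent or 0 for a in triaged)
    return {
        "alert_coverage_pct": _pct(len(triaged), len(alerts)),
        "abandoned": len(alerts) - len(triaged),
        "avg_investigation_minutes": round(spent / len(triaged), 1) if triaged else 0.0,
        "pct_concluded": _pct(sum(1 for a in triaged if a.concluded), len(triaged)),
        "triaged_pct_by_day": {d: _pct(t, n) for d, (n, t) in sorted(per_day.items())},
    }


def group_coverage_pct(alerts: List[Alert], window: timedelta = timedelta(minutes=30)) -> float:
    """Coverage after de-duplication: a group counts as covered if any member was triaged."""
    groups = dedupe(alerts, window)
    covered = sum(1 for g in groups if any(a.triaged for a in g))
    return _pct(covered, len(groups))


if __name__ == "__main__":
    print(len(dedupe(SAMPLE_ALERTS)), "work items from", len(SAMPLE_ALERTS), "alerts")
    print(metrics(SAMPLE_ALERTS))
    print("coverage after de-duplication:", group_coverage_pct(SAMPLE_ALERTS))
```

Reporting both coverage figures matters: the raw number is what the survey measured, while the de-duplicated number shows how much of the abandoned volume was repeat noise rather than distinct work the SOC never looked at.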

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.